Simple Pro POS Malware Could Cause Retail Havoc this Christmas

Security experts have warned US businesses which still haven’t invested in chip and PIN (EMV) readers to remain extra vigilant this holiday season, after revealing more details on a new Point of Sale (POS) malware.

Although Pro POS was first discovered on underground forums late last month, Cisco’s Talos team has given it the once over in a detailed analysis here.

Researchers Ben Baker and Earl Carter explained that its functionality is actually less extensive and sophisticated than at first thought.

It was believed that the malware had Tor support, rootkit functionality, a polymorphic engine and various in-built mechanisms to avoid detection.

However, after analyzing version 1.1.5b of the malware, Talos found that few of these capabilities existed:

“We did not identify any significant mechanisms to avoid antivirus detection, other than a trivial packer that seemed to be more for compression than obfuscation. Unless you include tor2web, we did not find support for Tor. We did not find a polymorphic engine. And finally, we did observe a rootkit being installed but it did not appear to be used by the malware.”

In fact, Pro POS is basically a modified version of the Alina malware family whose source code leaked earlier this year.

The rootkit is described as “minimalistic” and poorly designed, while the control panel doesn’t use PHP obfuscation, which meant it was easy to reverse the network protocol, Talos claimed.

“One of the PHP files contains a vulnerability that leads to arbitrary PHP execution,” the researchers revealed. “Obviously security wasn’t a major concern when developing this malware.”

Yet despite these shortcomings Pro POS has the potential to cause retailers significant headaches this Christmas.

It’s designed to lift card data and even check whether said details could be used internationally.

“Since PoS malware like Pro PoS is available for purchase, it is even easier for threat actors to utilize it to steal payment card data,” Talos concluded.

“Businesses who utilize payment card readers that are not chip-enabled will need to remain extra vigilant and adhere to industry best practices to ensure coverage and protection against these advancing malware threats, especially during the holiday season.”